Gaute65 Skrevet 28. juni 2007 Del Skrevet 28. juni 2007 Har fått beskjed fra Telenor at det er unormal trafikk fra kontoen vår. Siden det er bare en Windows maskin oppsatt er den den mistenktre. Har kjørt, AVg, Norton 2007, og SAS uten å finne noe. Alle kjørt i sikker modus. Ved oppstart av Opera så skanner avg mange eposter sendt via autopop3. Etter at jeg har fjernet alle epost kontoer fra Opera skjer ikke det lenger. Har kjørt Rootck: Klikk for å se/fjerne innholdet nedenfor 8.06.2007 21:23:37,19 The rootkits that are detected by this tool were not found. ********************************* ROOTCHK-LOG-end catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net Rootkit scan 2007-06-28 21:23:38 Windows 5.1.2600 Service Pack 2 scanning hidden processes ... scanning hidden services ... scanning hidden autostart entries ... HKCU\Software\Microsoft\Windows\CurrentVersion\Run msnmsgr = "C:\Programfiler\MSN Messenger\msnmsgr.exe" /background??e?r scanning hidden files ... hidden processes: 0 hidden services: 0 hidden files: 0 Har kjørt hijackthis: Klikk for å se/fjerne innholdet nedenfor Logfile of Trend Micro HijackThis v2.0.0 (BETA)Scan saved at 21:42:20, on 28.06.2007 Platform: Windows XP SP2 (WinNT 5.01.2600) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Programfiler\Symantec\LiveUpdate\ALUSchedulerSvc.exe d:\Programfiler\Grisoft\AVG Anti-Spyware 7.5\guard.exe d:\PROGRA~2\Grisoft\AVGFRE~1\avgamsvr.exe d:\PROGRA~2\Grisoft\AVGFRE~1\avgupsvc.exe d:\PROGRA~2\Grisoft\AVGFRE~1\avgemc.exe C:\Programfiler\Fellesfiler\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe C:\WINDOWS\system32\nvsvc32.exe C:\Programfiler\Prevx2\PXAgent.exe C:\WINDOWS\System32\svchost.exe d:\Programfiler\Belkin\Belkin Wireless Network Utility\WLService.exe d:\Programfiler\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe C:\WINDOWS\Explorer.EXE C:\Programfiler\HP\HP Software Update\HPWuSchd2.exe C:\WINDOWS\SOUNDMAN.EXE C:\WINDOWS\system32\RUNDLL32.EXE D:\PROGRA~2\Grisoft\AVGFRE~1\avgcc.exe C:\Programfiler\Prevx2\PXConsole.exe C:\Programfiler\Fellesfiler\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe C:\WINDOWS\system32\ctfmon.exe C:\Programfiler\Skype\Phone\Skype.exe C:\Programfiler\MSN Messenger\msnmsgr.exe D:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe D:\Programfiler\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe D:\test\test.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.c2i.net/ R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.sweetim.com R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger O1 - Hosts: 64.237.37.47 auto.search.msn.com O1 - Hosts: 64.237.37.47 auto.search.msn.com O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Programdata\Prevx\pxbho.dll O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file) O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programfiler\Fellesfiler\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [HP Software Update] C:\Programfiler\HP\HP Software Update\HPWuSchd2.exe O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [AVG7_CC] d:\PROGRA~2\Grisoft\AVGFRE~1\avgcc.exe /STARTUP O4 - HKLM\..\Run: [PrevxOne] "C:\Programfiler\Prevx2\PXConsole.exe" O4 - HKLM\..\Run: [symantec PIF AlertEng] "C:\Programfiler\Fellesfiler\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Programfiler\Fellesfiler\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll" O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [skype] "C:\Programfiler\Skype\Phone\Skype.exe" /nosplash /minimized O4 - HKCU\..\Run: [msnmsgr] "C:\Programfiler\MSN Messenger\msnmsgr.exe" /background O4 - HKCU\..\Run: [sUPERAntiSpyware] D:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKAL TJENESTE') O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] d:\PROGRA~2\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOKAL TJENESTE') O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETTVERKSTJENESTE') O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user') O4 - Global Startup: Belkin Wireless USB Utility.lnk = D:\Programfiler\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...arch.jhtml?p=ZN O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe O14 - IERESET.INF: START_PAGE_URL=http://www.c2i.net/ O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab O16 - DPF: {33331111-1111-1111-1111-622221193458} - file://c:\ex.cab O16 - DPF: {43331111-1111-1111-1111-611111195622} - file://c:\ex.cab O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} - http://sib1.od2.com/common/Member/ClientIn...2/OCI/setup.exe O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1136927748162 O16 - DPF: {C45B1500-7B63-47C2-AB25-C28CB46AFDEE} (Music Manager) - http://img.od2.com/installation/PluginName...nagerPlugin.CAB O20 - Winlogon Notify: !SASWinLogon - D:\Programfiler\SUPERAntiSpyware\SASWINLO.dll O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll O23 - Service: Automatisk LiveUpdate-planlegging - Symantec Corporation - C:\Programfiler\Symantec\LiveUpdate\ALUSchedulerSvc.exe O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - d:\Programfiler\Grisoft\AVG Anti-Spyware 7.5\guard.exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - d:\PROGRA~2\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - d:\PROGRA~2\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - d:\PROGRA~2\Grisoft\AVGFRE~1\avgemc.exe O23 - Service: Belkin Wireless USB Network Adapter (Belkin Wireless USB Network Adapter Service) - Unknown owner - d:\Programfiler\Belkin\Belkin Wireless Network Utility\WLService.exe O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Programfiler\Fellesfiler\Symantec Shared\ccSvcHst.exe (file missing) O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe O23 - Service: Prevx Agent (PREVXAgent) - Prevx - C:\Programfiler\Prevx2\PXAgent.exe O23 - Service: Symantec Core LC - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\CCPD-LC\symlcsvc.exe O24 - Desktop Component 0: (no name) - http://map.avinet.no/output/NorgeNo1375_37...165_6650231.gif -- End of file - 7533 bytes Har fjernet Norton, ser at det ligger rester igjen, skal fjerne det. Noen gode råd? Lenke til kommentar
Gjest medlem-105082 Skrevet 28. juni 2007 Del Skrevet 28. juni 2007 Hei. Var en del rusk her, ja Så nå må vi rydde litt. Åpne 'legg til å fjern programmer' og se om du har noe som heter my web search . Avinstaller hvis du finner det. Så søker du etter disse mappene på PC'en: FunWebProducts MyWebSearch Hvis du finner, slett de. Last ned CWShredder og kjør programmet. Kjør så Hijackthis og slett: Klikk for å se/fjerne innholdet nedenfor O1 - Hosts: 64.237.37.47 auto.search.msn.com O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file) O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...arch.jhtml?p=ZN O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab O16 - DPF: {33331111-1111-1111-1111-622221193458} - file://c:\ex.cab O16 - DPF: {43331111-1111-1111-1111-611111195622} - file://c:\ex.cab Kjør så SAS i normal modus og legg ut en ny Hijackthis logg sammen med en SAS logg (Preferences->statistics/logs) Lenke til kommentar
Gaute65 Skrevet 29. juni 2007 Forfatter Del Skrevet 29. juni 2007 Takk for hjelpen My web search var ikke installert, slettet de to mappene. Shredder fant to ting og fjernet dem. SAS logg: Klikk for å se/fjerne innholdet nedenfor SUPERAntiSpyware Scan Loghttp://www.superantispyware.com Generated 06/29/2007 at 01:15 AM Application Version : 3.9.1008 Core Rules Database Version : 3262 Trace Rules Database Version: 1273 Scan type : Complete Scan Total Scan Time : 01:36:30 Memory items scanned : 377 Memory threats detected : 0 Registry items scanned : 5325 Registry threats detected : 0 File items scanned : 43442 File threats detected : 0 HJT logg: Klikk for å se/fjerne innholdet nedenfor Logfile of Trend Micro HijackThis v2.0.0 (BETA)Scan saved at 01:22:36, on 29.06.2007 Platform: Windows XP SP2 (WinNT 5.01.2600) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe d:\Programfiler\Grisoft\AVG Anti-Spyware 7.5\guard.exe d:\PROGRA~2\Grisoft\AVGFRE~1\avgamsvr.exe d:\PROGRA~2\Grisoft\AVGFRE~1\avgupsvc.exe d:\PROGRA~2\Grisoft\AVGFRE~1\avgemc.exe d:\Programfiler\Belkin\Belkin Wireless Network Utility\WLService.exe d:\Programfiler\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe C:\WINDOWS\system32\nvsvc32.exe C:\Programfiler\Prevx2\PXAgent.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\Programfiler\HP\HP Software Update\HPWuSchd2.exe C:\WINDOWS\SOUNDMAN.EXE C:\WINDOWS\system32\RUNDLL32.EXE D:\PROGRA~2\Grisoft\AVGFRE~1\avgcc.exe C:\Programfiler\Prevx2\PXConsole.exe C:\WINDOWS\system32\ctfmon.exe C:\Programfiler\Skype\Phone\Skype.exe C:\Programfiler\MSN Messenger\msnmsgr.exe D:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe D:\Programfiler\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe C:\Programfiler\Mozilla Firefox\firefox.exe C:\Programfiler\Windows Media Player\wmplayer.exe C:\WINDOWS\system32\notepad.exe D:\test\test.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Programdata\Prevx\pxbho.dll O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programfiler\Fellesfiler\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [HP Software Update] C:\Programfiler\HP\HP Software Update\HPWuSchd2.exe O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [AVG7_CC] d:\PROGRA~2\Grisoft\AVGFRE~1\avgcc.exe /STARTUP O4 - HKLM\..\Run: [PrevxOne] "C:\Programfiler\Prevx2\PXConsole.exe" O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [skype] "C:\Programfiler\Skype\Phone\Skype.exe" /nosplash /minimized O4 - HKCU\..\Run: [msnmsgr] "C:\Programfiler\MSN Messenger\msnmsgr.exe" /background O4 - HKCU\..\Run: [sUPERAntiSpyware] D:\Programfiler\SUPERAntiSpyware\SUPERAntiSpyware.exe O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKAL TJENESTE') O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] d:\PROGRA~2\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOKAL TJENESTE') O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETTVERKSTJENESTE') O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user') O4 - Global Startup: Belkin Wireless USB Utility.lnk = D:\Programfiler\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} - http://sib1.od2.com/common/Member/ClientIn...2/OCI/setup.exe O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1136927748162 O16 - DPF: {C45B1500-7B63-47C2-AB25-C28CB46AFDEE} (Music Manager) - http://img.od2.com/installation/PluginName...nagerPlugin.CAB O20 - Winlogon Notify: !SASWinLogon - D:\Programfiler\SUPERAntiSpyware\SASWINLO.dll O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - d:\Programfiler\Grisoft\AVG Anti-Spyware 7.5\guard.exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - d:\PROGRA~2\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - d:\PROGRA~2\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - d:\PROGRA~2\Grisoft\AVGFRE~1\avgemc.exe O23 - Service: Belkin Wireless USB Network Adapter (Belkin Wireless USB Network Adapter Service) - Unknown owner - d:\Programfiler\Belkin\Belkin Wireless Network Utility\WLService.exe O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Programfiler\Fellesfiler\Symantec Shared\ccSvcHst.exe (file missing) O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe O23 - Service: Prevx Agent (PREVXAgent) - Prevx - C:\Programfiler\Prevx2\PXAgent.exe O24 - Desktop Component 0: (no name) - http://map.avinet.no/output/NorgeNo1375_37...165_6650231.gif -- End of file - 5779 bytes Lenke til kommentar
Gjest medlem-105082 Skrevet 29. juni 2007 Del Skrevet 29. juni 2007 Har du fortsatt noe problemer? Merker du unormal treghet, popup osv? Lenke til kommentar
Gaute65 Skrevet 29. juni 2007 Forfatter Del Skrevet 29. juni 2007 Har du fortsatt noe problemer? Merker du unormal treghet, popup osv? 8967110[/snapback] Ingenting. Da regenr jeg med at alt er i orden. tusen takk for hjelpen. Lenke til kommentar
Gjest medlem-105082 Skrevet 29. juni 2007 Del Skrevet 29. juni 2007 Det høres bra ut. Du får komme tilbake hvis du hører noe mer fra Telenor eller merker noe unormalt Du bør nullstille gjenopprettingsmappa slik at du ikke blir infisert ved en evt. systemgjenoppretting. Kontrollpanel->system->systemgjenoppretting . Sett merke framfor "Slå av Systemgjenopprettingen .....", restart pc, fjern merket igjen for å aktivere funksjonen. Ha en fin dag Lenke til kommentar
Gaute65 Skrevet 29. juni 2007 Forfatter Del Skrevet 29. juni 2007 Alt fungere fint nå. Telenor har gitt full tilgang på alt nå, så verden smiler. Takk for hjelpen Lenke til kommentar
Gjest medlem-105082 Skrevet 29. juni 2007 Del Skrevet 29. juni 2007 Ingen årsak Surf trygt. Lenke til kommentar
Anbefalte innlegg
Opprett en konto eller logg inn for å kommentere
Du må være et medlem for å kunne skrive en kommentar
Opprett konto
Det er enkelt å melde seg inn for å starte en ny konto!
Start en kontoLogg inn
Har du allerede en konto? Logg inn her.
Logg inn nå